
Rootkit modeling and experiments under Linux

  • SSTIC 2007 Best Academic Papers
Journal in Computer Virology

Abstract

This article deals with rootkit design. We show in what way these particular malicious codes are innovative compared with usual malware such as viruses and Trojan horses. From that comparison, we introduce a functional architecture for rootkits. We also propose some criteria to characterize a rootkit and thus to qualify and assess the different kinds of rootkits. We purposely adopt a global view of the topic, that is, we do not restrict our study to the rootkit software itself: we also consider the communication between the attacker and his tool, and the interactions this communication induces with the system. We observe that the problems faced during rootkit design are close to those of steganography, while also showing the limits of such a comparison. Finally, we present a rootkit paradigm that runs in kernel mode under Linux, together with some new techniques to improve its stealth.



Author information


Corresponding author

Correspondence to Éric Lacombe.


About this article

Cite this article

Lacombe, É., Raynal, F. & Nicomette, V. Rootkit modeling and experiments under Linux. J Comput Virol 4, 137–157 (2008). https://doi.org/10.1007/s11416-007-0069-6

